Bring your own device (BYOD) security best practices
In today’s landscape, going to work has become synonymous with waking up and turning the computer on in another room. Remote work has morphed into the norm for many industries over the past year. In the face of a global pandemic, organizations have been forced to adapt to telecommuting. Luckily, many of today’s jobs can be performed remotely, and the multitude of cloud technologies available make it possible for business teams to collaborate on projects from miles away without missing a beat.
The rapid rise of remote work may not have been possible without the creation of a Bring Your Own Device (BYOD) policy.
According to IBM, BYOD is “... an IT policy that allows, and sometimes encourages, employees to access ... data and systems using personal mobile devices such as smartphones, tablets, and laptops.”
- The COVID-19 pandemic pushed the incidence of U.S. full-time employees working from home from 33% to 61% (Gallup)
- From January to April 2020, access to the cloud by unmanaged, personal devices doubled (Help Net Security)
- 84% of organizations report they're likely to continue to support remote work flexibility long after stay-at-home orders are lifted (Bitglass)
- 70% of large businesses believe remote work makes them more vulnerable to cyberattacks (AT&T Communications)
BYOD security awareness is challenging for companies that deal with sensitive and confidential data. Especially now that working from home has been transformed from a privilege to a survival tactic, BYOD security issues and challenges must be adequately addressed.
Organizations in the financial sector especially, whose information is sure to be targeted by outsiders (either to extract and exploit it or to introduce deliberate errors or simply cripple the ability to use it), must give BYOD security best practices keen consideration.
One of the most used BYOD security solutions is mobile device management (MDM), which helps administer and manage BYOD. MDM is a process that enables administration of mobile devices, such as smartphones, tablet computers, and laptops. MDM is usually implemented with the use of a third-party product that has management features for particular vendors of mobile devices.
Though closely related to enterprise mobility management (EMM) and unified endpoint management (UEM), MDM differs slightly from both. Unlike MDM, EMM includes mobile information management, BYOD, mobile application management, and mobile content management, whereas UEM provides device management for endpoints like desktops, printers, IoT devices, and wearables as well.
MDM products are built around the idea of containerization, which provides elevated security and addresses both security and privacy considerations. The MDM container operates within its own boundary and is secured using current cryptographic techniques (AES-256 or stronger is preferred).
Corporate data such as email, documents, and enterprise applications are encrypted and processed inside the container. This ensures that corporate data is separated from the user's personal data on the device. Additionally, encryption for the entire device and/or SD Card can be enforced depending on MDM product capability.
Organizations can distribute, manage, and upgrade applications on an employee's device using an app catalog. This allows applications to be pushed onto the user's device directly from the App Store, or a company can push an enterprise-developed private application through the app catalog. This provides an option for the organization to deploy devices in kiosk mode or lock-down mode.
BYOD Security Risks
The organization that allows its employees' devices to access its corporate network and work with its sensitive data faces two basic risks:
- Cyber security threats that can attack their software or data from outside sources
- Loss of data due to physical damage or accidental deletion of files if the data is not backed up
BYOD security policies have had to be extended to cover mobile devices and to provide practical solutions to BYOD threats and vulnerabilities in both of these areas.
One of the worst BYOD cyber security threats is malware, a type of program that exploits a vulnerability in a device's software. Malware is often introduced by downloading rogue files; once present, it tries to elevate its access on the device, spread to other devices on the network, or communicate with the internet at large.
Introducing BYOD devices into a network increases and complicates this threat because worms may be designed to exploit arcane technical characteristics of a single widely sold device or perhaps widely used software such as the Android or iOS operating system itself.
Cyber security threats are increasingly attributed to foreign actors in Russia or China, while Chinese manufacturers and software houses are providing more and more of the computers and software that companies use. Companies holding government contracts have been barred from using certain brands of smartphones.
BYOD Security Challenges
Determining exactly where and how mobile devices are necessary is an initial BYOD security challenge for organizations when implementing security policies. This involves a preliminary risk analysis on which data need to be accessed using BYOD devices. Difficulty arises when employees’ personal data is accessed and controlled on the same device.
Another issue to consider is when employees share jobs or when an employee’s job encompasses many roles. Mobile devices sometimes may cause data integrity issues when job sharing is involved, as employees may modify data differently.
Access control for mobile devices coincides with the previous challenge. Companies need to determine permission levels for each employee when accessing certain company resources with personal devices and external network connections.
Other factors that determine access control specifications include setting time limits, limiting how many people can access certain resources at one time, and how employees will gain access to company resources. Access control issues and considerations vary according to the business size, location, number of employees, and industry.
Incorporating data security measures to cover a range of portable devices against threats and attacks is complicated, as employees will own an unpredictable range of devices with different operating systems, meaning the security requirements of each need to be equally supported where possible.
Differences between operating systems in their requirements, behaviors, conditions, and default security settings will determine the security measures required. Constantly adjusting security measures to protect all devices is a heavy strain on resources and on the personnel responsible for maintaining them.
BYOD Security Policy
Besides the technical considerations of BYOD security, there are the legal implications, especially involving employee privacy and personal data. Some jurisdictions such as the European Union have strict policies—with high fines and penalties—that protect citizens of their jurisdiction, whether or not the person owning the data or the system processing it is physically present in the jurisdiction.
A company that is found in violation of the European Union General Data Protection Regulation (GDPR) regarding the personal information of one or more employees that are EU citizens, whether or not the system processing the information is in the EU, can be subject to fines as high as 20 million euros or 4% of the company's global revenue. A carefully crafted BYOD policy based on a BYOD security policy template can help reduce the risk.
A BYOD policy for a small business may be different from what is required for a global corporation. Much of the research on BYOD focuses on the following items, which must be mutually agreed upon by the employer and employee:
- Keep personal information private and separate from corporate data (SANS.edu Graduate Student Research)
- Mobile device enrollment must be simple
- Enrollment should be done over the air
- Devices should be continually monitored for compliance
In conjunction with developing an MDM security plan, it’s important to develop an acceptable use policy (AUP), which informs users how they are expected to use their devices and software regarding company work.
There should be procedures established for the IT staff to handle BYOD corporate data and personal data. Because the mobile device belongs to the employee, the risk factor associated with allowing a user to connect his or her personal device to the corporate network must be clearly understood by both parties.
SANS advises, “End-user education and responsibility should include guidance on reporting procedures if a personal device is lost or stolen, device encryption requirements, device locking / screen locking, antivirus / malware protection, and [additional security tips].”
BYOD Security Policy Best Practices
- Establish security policies for all BYOD devices—before you give employees the freedom to access company resources from anywhere, set stringent security guidelines
- Define acceptable use guidelines
- Use mobile device management (MDM) software
- Communicate BYOD policies to all parties
- Set up an employee exit plan to protect organization data
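As an added illustration (not code from the article or from any MDM vendor), here is how the "continually monitored for compliance" requirement, the SANS device controls quoted above (encryption, screen locking, antivirus), and the employee exit plan translate into an automated posture check; the device record fields, thresholds and sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Thresholds are assumptions for this example, not values from the article.
MAX_CHECKIN_AGE_DAYS = 7
MIN_OS = {"android": (12, 0), "ios": (15, 0)}

@dataclass
class Device:
    """Posture record as an MDM agent might report it (constructed fields)."""
    device_id: str
    platform: str
    os_version: tuple
    enrolled: bool        # enrolled over the air into the MDM container
    encrypted: bool       # device/container storage encryption on
    screen_lock: bool     # device locking / screen locking enforced
    antivirus: bool       # antivirus / malware protection present
    last_checkin: date    # date of the last compliance report received
    owner_active: bool = True  # False once HR flags the employee as departed

def evaluate(dev, today):
    """Return the policy findings for one device; an empty list means compliant."""
    if not dev.owner_active:
        # Exit plan: corporate data comes off the device regardless of its posture.
        return ["owner departed: revoke access and wipe the corporate container"]
    findings = []
    if not dev.enrolled:
        findings.append("not enrolled in MDM")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if not dev.screen_lock:
        findings.append("screen lock disabled")
    if not dev.antivirus:
        findings.append("no antivirus/malware protection")
    if dev.os_version < MIN_OS.get(dev.platform, (0, 0)):
        findings.append("OS version below minimum")
    if today - dev.last_checkin > timedelta(days=MAX_CHECKIN_AGE_DAYS):
        findings.append("stale check-in; compliance cannot be verified")
    return findings

def access_decision(dev, today):
    """Conditional access: only a device with no findings reaches corporate data."""
    return "allow" if not evaluate(dev, today) else "block"

# Constructed sample inventory: a compliant device, a drifting one, a departed owner.
TODAY = date(2021, 3, 1)
FLEET = [
    Device("d1", "ios", (15, 2), True, True, True, True, date(2021, 2, 28)),
    Device("d2", "android", (11, 0), True, True, False, True, date(2021, 2, 15)),
    Device("d3", "android", (12, 0), True, True, True, True, date(2021, 2, 27), False),
]
```

A device that has stopped reporting is treated as non-compliant rather than assumed healthy, since an unmonitored device is exactly the case the policy is meant to catch.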
Sophos outlines some BYOD policy scoping guidelines to consider:
- “All mobile devices, whether owned by [company] or owned by employees, inclusive of smartphones and tablet computers, that have access to corporate networks, data and systems are governed by the mobile device security policy. The scoping of the policy should not include corporate IT-managed laptops.
- “Exemptions: Where there is a business need to be exempted from the policy (too costly, too complex, adversely impacting other business requirements), a risk authorized by security management must be conducted.
- “Applications used by employees on their own personal devices which store or access corporate data, such as cloud storage applications, are also subject to this policy.”
A sample BYOD policy for small business can be obtained here. This document can also be used as a mobile device policy template.